Skip to main content
CVE-2026-47847 MEDIUM PATCH This Month

Hardcoded default credentials in Bitnami MariaDB Galera container images and Helm chart expose all default deployments to unauthenticated replication status enumeration over the network. The health-check user `monitor` with password `monitor` is granted REPLICATION CLIENT privileges from any host (`%`), meaning any network-accessible cluster running affected images (10.6.x through 12.3.x) or Helm chart prior to 18.3.0 can be accessed using these publicly known credentials. The Helm chart structurally prevented operators from overriding these credentials at deploy time, making the exposure pervasive across all standard chart-based deployments; no public exploit has been identified and the vulnerability is not in CISA KEV at time of analysis.

Debian Authentication Bypass Bitnami Mariadb Galera Bitnami Mariadb Galera Helm Chart
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-9692 MEDIUM PATCH This Month

Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, the heap address of an anonymous hash, and the PID. These are predictable or low-entropy sources that are unsuitable for security purposes.

Information Disclosure Mojolicious Suse
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-47256 MEDIUM PATCH GHSA This Month

Path traversal and query-string injection in the OpenTelemetry Collector Contrib Sentry exporter allows any OTLP span sender to redirect the collector's operator bearer token to arbitrary Sentry API endpoints - including privileged admin, organization, and member management endpoints. The vulnerability stems from the `service.name` span attribute being interpolated directly into Sentry API URLs via `fmt.Sprintf` without validation, while the existing `projectSlugRegexp` safeguard is only applied to operator-configured mappings and never to runtime-derived slugs. No CISA KEV listing exists at time of analysis, but the GHSA advisory provides detailed exploitation steps demonstrating both a universally reliable query-string injection vector and a nginx-dependent path traversal vector, with a fixed version available at 0.154.0.

Path Traversal Nginx Kubernetes
NVD GitHub
CVSS 3.1
5.3
CVE-2026-55686 MEDIUM PATCH GHSA This Month

WORKDIR symlink traversal in Podman allows a malicious container image to create arbitrary directories - and under a race condition, modify ownership - directly on the host filesystem, breaking container isolation. Affected versions include Podman v5 through 5.7.0, v4 through 4.9.5, and v3 through 3.4.7; the flaw is in the WORKDIR path resolution logic, which fails to confine symlink dereferences to the container's mount namespace. Public proof-of-concept scripts are included in the vendor's GitHub advisory (GHSA-q6r4-3wmg-fwcq); no active exploitation has been confirmed via CISA KEV.

Information Disclosure Docker Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-48937 MEDIUM PATCH This Month

Denial-of-service exposure in Node.js HTTP/2 handling stems from integration defects with the nghttp2 library, addressed in the Node.js 24.17.0 'Krypton' LTS security release on 2026-06-18. Remote, unauthenticated attackers (per CVSS:3.0/PR:N/AV:N) can trigger availability degradation through crafted HTTP/2 traffic exploiting the flawed nghttp2 integration layer. The fix, commit a8a0d12875 in nodejs/node#62891, pairs an nghttp2 bump to version 1.69.0 with corrective integration patches; no public exploit code or CISA KEV listing has been identified at time of analysis.

Denial Of Service Suse
NVD GitHub VulDB
CVSS 3.0
5.3
EPSS
0.4%
CVE-2026-9158 MEDIUM This Month

Use-after-free in Eclipse 4diac FORTE versions 3.0.0-3.1.0 allows adjacent, unauthenticated attackers to corrupt process memory by sending a specially crafted DELETE connection command to the management interface, leaving a dangling pointer exploitable by subsequent commands. The impact spans memory integrity corruption and availability loss (runtime crash), with a minor confidentiality exposure from stale freed-memory reads - meaningful risks in industrial automation deployments where FORTE orchestrates IEC 61499 distributed control logic. No public exploit has been identified at time of analysis, and CISA KEV listing is absent, but the CVSS 4.0 supplemental Safety metric is marked Partial (S:P), flagging potential downstream safety consequences in OT environments.

Use After Free Memory Corruption Information Disclosure 4Diac Forte
NVD VulDB
CVSS 4.0
5.2
EPSS
0.2%
CVE-2026-54106 MEDIUM PATCH HOSTED Monitor

Network access control bypass in the U.S. Government Accountability Office Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals Electronic Docketing System (EDS) allows a remote attacker holding compromised administrator credentials to circumvent IP-based network restrictions by injecting an arbitrary X-Forwarded-For HTTP header. Both systems fail to validate or sanitize this header before using it to determine whether a request originates from an allowed network range, meaning a threat actor positioned anywhere on the internet can masquerade as a trusted network source. No public exploit code or CISA KEV listing has been identified at the time of analysis, and the high-privilege prerequisite (compromised admin credentials) significantly constrains opportunistic exploitation.

Microsoft Authentication Bypass Electronic Protest Docketing System Epds Electronic Docketing System Eds
NVD VulDB
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-50643 MEDIUM Monitor

Out-of-bounds read in 8cc, a small C compiler by rui314, allows a local attacker to crash the compiler and potentially disclose compiler process memory by supplying a crafted source file containing malicious #line directives or GNU linemarkers with oversized line numbers. The vulnerability arises because attacker-controlled filename and line number metadata embedded in source files is accepted and used without bounds validation when 8cc accesses internal source line arrays. No patch is available at time of analysis; the maintainer did not respond to CERT-PL's coordinated disclosure. No public exploit identified at time of analysis, though CERT-PL confirmed the vulnerability at commit b480958.

Information Disclosure Buffer Overflow 8Cc
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-11982 MEDIUM PATCH This Month

Stored XSS in Grav CMS's grav-plugin-api (Admin2) allows a low-privileged editor to persist malicious JavaScript in page content via the PATCH /pages API endpoint, which then executes in any administrator's or visitor's browser when the affected page is loaded. The root cause is that the API's partial-field validation path (validateChangedFields()) ran only type and required-field checks but omitted the XSS safety gate (Validation::checkSafety()), a check the classic Admin interface correctly enforced - creating a trust-boundary bypass exclusive to the REST API path. Publicly available exploit code exists via the Fluid Attacks advisory and the vendor's own regression test suite; no active exploitation (CISA KEV) has been confirmed.

XSS Grav Plugin Api
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-54221 MEDIUM This Month

Reflected XSS in UBB.threads 7.7.5 enables remote attackers to execute arbitrary JavaScript in a victim's browser by tricking them into clicking a crafted URL containing malicious input. The vulnerability stems from improper handling of user-supplied data in HTTP requests, with impact scoped to the victim's browser session rather than the server itself. No public exploit code or active exploitation has been identified at time of analysis; vendor contact was unsuccessful, leaving patch status unresolved.

XSS Ubb Threads
NVD
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-54219 MEDIUM This Month

Stored XSS in UBB.threads 7.7.5 permits low-privileged forum members to permanently inject arbitrary JavaScript into post content and user profile fields, which then executes silently in any visitor's browser upon viewing the affected page. The vulnerability was discovered and disclosed by CERT-PL after unsuccessful vendor contact attempts, leaving remediation status unresolved. No public exploit code has been identified and no active exploitation is confirmed, but the persistent nature of the injection vector makes this a meaningful risk to forum users and administrators alike.

XSS Ubb Threads
NVD
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-11791 MEDIUM This Month

Use-after-free in 389 Directory Server's schema reload path crashes the server when administrative schema reloads race against active LDAP query worker threads. The `attr_syntax_swap_ht()` function bypasses the refcount-based deferred deletion mechanism used throughout the attribute syntax subsystem, directly freeing nodes that concurrent worker threads may still hold references to. Affected products span Red Hat Directory Server 11, 12, and 13 across RHEL 6 through 10; no public exploit or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS score of 5.0 reflects the high-complexity, high-privilege prerequisites that substantially reduce real-world risk.

Use After Free Memory Corruption Denial Of Service Red Hat Directory Server 11 Red Hat Directory Server 12 +6
NVD VulDB
CVSS 3.1
5.0
EPSS
0.3%
CVE-2026-11360 MEDIUM This Month

SQL Injection in the Advanced Order Export For WooCommerce WordPress plugin (versions up to and including 4.0.10) allows authenticated shop managers to append arbitrary SQL to existing queries via the unsanitized 'sort_direction' parameter, enabling full read-access to the WordPress database. Wordfence confirmed the flaw, which is compounded by the plugin's deliberate stripping of WordPress magic quotes protection through stripslashes_deep(), permitting SQL metacharacters to reach the query context intact. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

WordPress SQLi Advanced Order Export For Woocommerce
NVD VulDB
CVSS 3.1
4.9
EPSS
0.4%
CVE-2026-10736 MEDIUM This Month

SQL injection in Tutor LMS (WordPress plugin by Themeum) exposes the underlying database to read-access by any authenticated administrator. The flaw resides in the withdrawal-request management flow - specifically WithdrawModel.php and withdraw_requests.php - where a 'data' parameter is passed to SQL queries without adequate escaping or parameterization. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the data-exposure impact (C:H) is real, and a patched release (3.9.12) is confirmed in the WordPress plugin repository.

WordPress SQLi Tutor Lms Elearning And Online Course Solution
NVD
CVSS 3.1
4.9
EPSS
0.4%
CVE-2026-11776 MEDIUM This Month

SQL injection in the Form Maker by 10Web WordPress plugin exposes the WordPress database to authenticated admin-level attackers via the unsanitized 'groupids' parameter. All plugin versions through 1.15.43 are affected across multiple code paths in WDW_FM_Library.php and Generete_csv.php. No active exploitation is confirmed (not in CISA KEV), and exploitation is constrained by the administrator privilege requirement, though the high confidentiality impact from unrestricted database read access remains a meaningful concern for multi-tenant or shared WordPress environments.

WordPress SQLi Form Maker By 10Web Mobile Friendly Drag Drop Contact Form Builder
NVD VulDB
CVSS 3.1
4.9
EPSS
0.4%
CVE-2026-11777 MEDIUM This Month

SQL Injection in the Form Maker by 10Web WordPress plugin (all versions up to and including 1.15.43) enables authenticated administrators to append arbitrary SQL clauses via the unsanitized 'name' parameter in the admin-side data selection interface, permitting full read access to the underlying WordPress database. The CVSS vector confirms a high confidentiality impact (C:H) but no integrity or availability impact, scoped exclusively to the vulnerable system. No active exploitation is confirmed (not listed in CISA KEV), no public POC has been identified at time of analysis, and the mandatory administrator-level authentication prerequisite substantially constrains real-world mass exploitation risk.

WordPress SQLi Form Maker By 10Web Mobile Friendly Drag Drop Contact Form Builder
NVD VulDB
CVSS 3.1
4.9
EPSS
0.4%
CVE-2026-55661 MEDIUM PATCH GHSA This Month

Stored XSS in TinaCMS rich-text rendering allows any content author with editor-level access to inject `javascript:` or `data:text/html` URLs into Slate link/image nodes, which execute in the browsers of editors and site visitors when affected content is viewed. Both `tinacms` (< 3.9.3) and `@tinacms/mdx` (< 2.1.7) are confirmed affected, with the vulnerable path covering case-variant, whitespace-padded, and control-character-obfuscated scheme bypass techniques indicating deliberate evasion of naive sanitization. No public exploit or CISA KEV listing exists; vendor-released patches are available.

XSS
NVD GitHub
CVSS 4.0
4.8
EPSS
0.2%
CVE-2026-22674 MEDIUM PATCH This Month

Stored cross-site scripting in Hashgraph Guardian through 3.5.0 allows an authenticated user holding the STANDARD_REGISTRY role to inject persistent JavaScript payloads into the branding configuration's companyName field via the branding API endpoint. The injected script executes in every authenticated user's browser on every page load due to unsanitized innerHTML assignments in both the BrandingService and BrandingComponent Angular classes. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the fix diff is publicly visible in GitHub PR #6190, lowering the barrier for exploit development.

XSS Guardian
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.2%
CVE-2026-12047 MEDIUM PATCH This Month

HTML injection in pgAdmin 4's Cloud Wizard (versions 6.6 through 9.15.x) allows authenticated users to embed arbitrary HTML into the tool's DOM by exploiting unescaped AWS, Azure, and Google Cloud SDK exception text propagated into JSON response fields and parsed by html-react-parser. The primary impact is self-targeted DOM manipulation - the authenticated user who submits the crafted payload is the one who sees it rendered - with escalation to cross-user exploitation requiring an additional CSRF primitive to forge a valid X-pgA-CSRFToken in a victim's browser. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, consistent with its CVSS 4.0 Medium rating of 4.8.

Microsoft Google XSS Pgadmin 4
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.2%
CVE-2026-55890 MEDIUM PATCH GHSA This Month

Stored CSS injection in Grav CMS's MediaObjectTrait::style() exposes an incomplete fix: the original patch for CVE-2026-42841 (GHSA-r7fx-8g49-7hhr) explicitly denylisted 'style' in the attribute() code path but left the parallel style() method-reachable via the same Markdown ?style= image query parameter pipeline-entirely unsanitized. Any editor holding admin.pages permission can save a single Markdown image reference with an arbitrary CSS payload that persists in the CMS and renders into <img style='...'> for every subsequent viewer, including administrators and super-admins in their authenticated sessions. A deterministic proof-of-concept ships with the advisory; no active exploitation (CISA KEV) has been confirmed at time of analysis.

PHP XSS
NVD GitHub
CVSS 3.1
4.8
EPSS
0.2%
CVE-2026-55254 MEDIUM PATCH GHSA This Month

Denial-of-service via unbounded factorial evaluation affects NCalc (NCalc.Core and NCalcSync NuGet packages) prior to v6.1.1, allowing remote attackers to exhaust CPU resources or trigger non-terminating computation loops by submitting expressions with extremely large factorial operands such as 9223372036854775807! (Int64.MaxValue). The root cause is CWE-190 integer overflow in MathHelper.cs's factorial calculation logic, which previously lacked bounds validation, allowing operands well beyond any representable result to be passed directly to the computation loop. No public exploit or CISA KEV listing has been identified at time of analysis, though the triggering expressions are trivially constructable and documented in the advisory itself.

Integer Overflow Denial Of Service
NVD GitHub
CVSS 3.1
4.8
CVE-2026-48986 MEDIUM PATCH This Month

Infinite loop denial-of-service in pam_usb 0.9.1 and earlier can permanently hang authentication processes such as sudo, sshd, or login on Linux systems using USB hardware authentication. The flaw is in usb_get_process_parent_id(), which fails to initialize *ppid on failure; pusb_local_login() reuses the same variable as both input and output in a process-tree traversal loop, so if /proc/<pid>/stat becomes unreadable mid-authentication (e.g., an ancestor process exits during the auth window), the PID is never advanced and the loop never terminates. No public exploit has been identified and KEV listing is absent; the vendor-released patch is version 0.9.2, which is strongly recommended given the criticality of the affected authentication stack components.

Denial Of Service Pam Usb
NVD GitHub VulDB
CVSS 3.1
4.7
EPSS
0.1%
CVE-2026-48984 MEDIUM PATCH This Month

Insecure deallocation in pam_usb 0.9.1 and below leaves sensitive authentication material - including one-time pad (OTP) bytes read from removable media - resident in freed heap memory because the xfree() helper calls free() without first zeroing the buffer. On any system where a secondary use-after-free condition or heap inspection primitive is present within the same pam_usb process, an attacker could recover pad values or other credential material from those freed regions, potentially undermining the hardware authentication guarantee pam_usb is designed to provide. This is a defense-in-depth hardening gap patched in 0.9.2; no confirmed active exploitation or public exploit code has been identified at time of analysis.

Information Disclosure Pam Usb
NVD GitHub VulDB
CVSS 3.1
4.7
EPSS
0.1%
CVE-2026-11358 MEDIUM This Month

Stored Cross-Site Scripting in the Orbit Fox WordPress plugin (ThemeIsle) allows authenticated administrators to inject persistent malicious scripts into pages served to any visiting user. Affected are all versions through 3.0.6, but only under specific deployment conditions: WordPress multisite networks or installations where the unfiltered_html capability has been explicitly disabled. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score of 4.4 reflects the elevated prerequisites and limited per-incident impact, though scope-changed XSS can still enable session theft and secondary phishing in affected deployments.

WordPress XSS Orbit Fox
NVD VulDB
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-48934 MEDIUM PATCH This Month

TLS session resumption in Node.js fails to bind reusable sessions to the originally authenticated host, enabling an information disclosure pathway. Affected versions are Node.js 26.x prior to 26.3.1 (Current channel), as disclosed in the June 2026 security release. An attacker with low network-level privilege can cause a cached TLS session-established and authenticated against one hostname-to be reused for a distinct, attacker-influenced host, potentially bypassing host-based authentication. No public exploit code or CISA KEV listing is present at time of analysis.

Information Disclosure Node Js
NVD GitHub VulDB
CVSS 3.0
4.3
EPSS
0.3%
CVE-2026-12111 MEDIUM This Month

Sensitive customer PII exposure in the Appointment Booking Calendar WordPress plugin (versions up to and including 1.4.01) allows any authenticated user with Contributor-level access to exfiltrate booking records from calendars they do not own. The root cause is an IDOR (Insecure Direct Object Reference) in the cpabc_appointments_calendar_load2() function: the function enforces only a broad role check (edit_posts capability) without verifying that the requesting user owns the calendar ID supplied via the id parameter. Exposed records include customer names, email addresses, phone numbers, booking times, and freeform comments, making this a meaningful PII breach risk on multi-author WordPress installations. No public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.

WordPress Information Disclosure Appointment Booking Calendar
NVD VulDB
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-10623 MEDIUM This Month

Unauthorized cross-teacher quiz rule tampering in the PressPrimer Quiz WordPress plugin (all versions ≤ 2.3.0) is possible via an IDOR flaw in the plugin's REST API, where the `rule_id` parameter is accepted without ownership validation. Any authenticated user holding a custom-level role or above - such as a teacher - can supply arbitrary `rule_id` values to modify or delete quiz rules belonging to other teachers. No public exploit is identified at time of analysis and the vulnerability is not listed in CISA KEV; the CVSS 3.1 score of 4.3 (PR:L, I:L) reflects the authentication requirement and integrity-only impact.

Authentication Bypass WordPress Pressprimer Quiz Ai Quiz Maker Exam Builder Lms Assessment Plugin
NVD GitHub
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-10023 MEDIUM This Month

Insecure Direct Object Reference across six AJAX handlers in the Dokan multivendor marketplace plugin for WordPress allows authenticated vendor-level users to manipulate arbitrary marketplace orders they do not own, in all versions up to and including 5.0.3. Affected operations include changing order status, injecting customer-facing notes that trigger WooCommerce notification emails to buyers, deleting any order note or WordPress comment by raw ID, inserting fraudulent shipping tracking data, and granting or revoking downloadable product access on any order in the installation. The nonce-based CSRF protection provides no ownership barrier because vendors legitimately generate valid nonces from their own dashboard pages and can replay them against any order ID - no public exploit identified at time of analysis, though vulnerable code paths are confirmed in source at version 5.0.1 by Wordfence.

Authentication Bypass WordPress Dokan
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-9199 MEDIUM This Month

Authorization bypass in Equalize Digital Accessibility Checker for WordPress (all versions ≤ 1.42.1) allows authenticated author-level users to dismiss, ignore, or restore accessibility audit records belonging to posts they do not own. The flaw lies in the plugin's REST API handler accepting the attacker's own issue ID as a sufficient authorization token, and the `largeBatch=true` parameter then triggers a bulk operation that propagates the action across all site-wide issues sharing the same 'object' value - including those on administrator-owned posts. No public exploit identified at time of analysis, and this CVE is not listed in CISA KEV; however, the Wordfence advisory includes direct source code references confirming the vulnerable logic.

Authentication Bypass WordPress Equalize Digital Accessibility Checker Wcag Ada Eaa And Section 508 Compliance
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-11357 MEDIUM This Month

Sensitive information exposure in Kadence Blocks (WordPress plugin) versions up to and including 3.7.5 allows authenticated contributors to read the site's Kadence license key, license owner email, api_key, api_email, and license domain directly from the browser console via the JavaScript global window.kadence_blocks_params.proData. The credentials are serialized client-side through the editor_assets_variables mechanism and require no server-side manipulation to extract. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

WordPress Information Disclosure Kadence Blocks Page Builder Toolkit For Gutenberg Editor
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-11784 MEDIUM This Month

Cross-Site Request Forgery in the Optimole WordPress plugin (all versions through 4.2.6) allows unauthenticated remote attackers to overwrite existing media attachment files by forging multipart POST requests targeting the replace_file function, provided the attacker can socially engineer a WordPress user with at least Author-level access into clicking a crafted link. The missing nonce validation in the attachment_edit.php handler means the server cannot distinguish legitimate requests from forged ones, enabling arbitrary content injection into any attachment the victim can edit. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the Wordfence disclosure provides full technical detail including source line references, lowering the bar for weaponization.

CSRF WordPress Optimole Optimize Images Convert Webp Avif Cdn Lazy Load Image Optimization
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-54319 MEDIUM PATCH GHSA This Month

Path traversal in Daytona's sandbox volume mount handling (versions <= 0.185.0) allowed a crafted volume reference containing traversal sequences to theoretically resolve the runner's bind-mount source path outside the intended per-volume base directory, with a worst-case impact of cross-tenant read/write access to other tenants' FUSE-mounted volume data. Critically, the vendor confirmed the vulnerability was NOT exploitable in any released version: volume references pass through UUID-type database validation before reaching the runner, structurally rejecting traversal payloads and producing a server-side validation error instead of an unintended mount. No public exploit has been identified and the CVE carries no CISA KEV listing, consistent with a latent code-path defect rather than an active attack surface.

Canonical Information Disclosure
NVD GitHub VulDB
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-55669 MEDIUM PATCH GHSA This Month

Authentication bypass in ZITADEL's external JWT Identity Provider allows a legitimate user of a co-tenant service sharing the same enterprise IdP to authenticate to ZITADEL using a token issued for a different relying party. Affected versions span ZITADEL 3.0.0-3.4.11 and 4.0.0-4.11.0; the flaw arises because ZITADEL correctly validates the JWT cryptographic signature and `iss` claim but entirely omits validation of the `aud` claim, violating RFC 7519 audience binding semantics. No public exploit has been identified at time of analysis, and exploitation is tightly constrained to specific enterprise topologies where multiple services share a single trusted IdP.

Authentication Bypass Google
NVD GitHub VulDB
CVSS 3.1
4.2
EPSS
0.1%
CVE-2026-55701 MEDIUM PATCH GHSA This Month

Authentication bypass in the githubreceiver component of opentelemetry-collector-contrib (versions ≤ 0.150.0) allows unauthenticated attackers to inject arbitrary webhook payloads into the OpenTelemetry observability pipeline. The `required_headers` configuration field is validated at startup but never enforced by `handleReq()` at request time, meaning any HTTP POST to the webhook endpoint is accepted regardless of header values. The risk is compounded when the `Secret` field is left at its empty default, which causes `github.ValidatePayload` to skip HMAC verification entirely - leaving deployments that rely solely on `required_headers` for auth with zero effective authentication. No public exploit code exists at time of analysis, but the advisory provides sufficient implementation detail to trivially reproduce the bypass.

Authentication Bypass
NVD GitHub
CVE-2026-55617 MEDIUM PATCH GHSA This Month

Session replay attacks against Hydro competitive programming judge instances become viable because logout and session renewal flows create new tokens without invalidating the previous server-side session. An attacker who has captured a victim's stale sid cookie - via network interception, browser theft, or prior session compromise - can replay that cookie over HTTP or HTTPS at any point after logout and retain full authenticated access as the victim. The vulnerability affects hydrooj npm package versions 4.10.4 through 5.0.1; no public exploit or KEV listing is identified, but the attack primitive is straightforward once a stale cookie is obtained.

Authentication Bypass
NVD GitHub
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy